Skip to content

IT4K12 – Privacy in the Digital Space

June 5, 2015

IT4K12 2015

I have an opportunity to be at BCERAC’s IT4K12 conference in Vancouver June 4/5, 2015. These posts are my notes from the various sessions.- Todd

Matt Reed
Matt.Reed@gov.bc.ca
Ministry of Education
Office of Chief Information Officer

Matt says he wants to see everyone do cool things, but be responsible about it. Easier to say “How can we help you do that” instead of just saying “No”.

OCIO responsible for FOIPPA, Personal Information Protection Act (PIPA), Information Management Act (IMA), and Electronic Transactions Act (ETA). They come and do training wherever, and attempt to be as helpful as possible.

Also the OIPC, Information and Privacy Commissioner, Elizabeth Denham is the BC Information and Privacy Commissioner works separately, and oversees investigations, mediations, reviews.

FOIPPA specifically applies to “public bodies” in BC.

Show Your Work – Matt reminded us that it is important to show that we are doing the work, document our processes and what we’re doing so that when we are asked, we’ll have detail and data to demonstrate.

Privacy Impact Assessment

  • If used as part of normal business processes, the PIA can ensure that privacy requirements are identified and satisfied in a timely and cost efficient manner.
  • PIA process is also designed as an educational tool – participating in privacy impact assessments promotes privacy awareness
  • The PIA can make the difference between a privacy invasive and a privacy enhancing initiative, without compromising business objectives or adding significant costs.
  • Ministry has a number of resources here.

Collection of Personal Information

  • Collection of personal information must be limited to that which is necessary and relevant
  • Collection must be direct (unless excepted under FOIPPA)
  • Collection notification must be given (unless excepted under FOIPPA)
  • Social Media is interesting, because lots of information is put out there, but it’s not supposed to be used for collecting information

Here is an example from @BCEDPLAN: Notice the collection notice link:

bcedplan collection

Disclosure, Storage and Access

  • Personal information must not be disclosed inside/outside of Canada, unless an exception in FOIPPA applies
  • Storage and access must be inside Canada, unless an exception in FOIPPA applies (note, B.C. is one of only two jurisdictions in Canada with this requirement)
  • Reasonable security must be in place to protect from unauthorized access

Security

  • A public body must make reasonable security arrangements to protect personal information (s. 30)
  • Should be appropriate and proportional to the sensitivity of the personal information e.g. suspension information vs. lunch order
  • Safeguards should include:
    • Physical measures (e.g. locked file cabinets, restricted access to offices)
    • Technological measures (e.g. user IDs, passwords, encryption)
    • Have policies and procedures for keeping files secured

Of interest, perhaps Tokenization may be something that may help store / secure offsite.

De-identification may be a way to remove information, so that’s what is left does not have personally identifiable substance. (Could be manual tokenization;) Could provide a unique identifier to a student so that they know the data is theirs, but no one else does. For example storing a report card without a name, but with a unique code that the student knows)

If we can’t do these things, consent makes the allowance – that is, if you have consent to store information outside of the country, then there are ways to make it happen.

Consent Forms

  • Does it cover all of the personal information?
  • Is it specific enough / clear enough?
  • Does it contain all of the required elements?
  • Is it signed / agreed to by the correct person?

Suggest that Middle / High School students sign for consent, and parents are essentially only witnesses, which is different than how we normally see consent in schools.

Privacy by Design – www.privacybydesign.ca has some great content that although not B.C. will get you 90% of the way towards getting privacy done right.

BC Privacy and Access Helpline: 250-356-1851

(Enquiry BC 1 800 663-7867)

Privacy.Helpline@gov.bc.ca

Advertisements

From → ATLE, GHSD

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: